Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] #178

renovate · 2025-01-06T16:27:46Z

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/go-git/go-git/v5	`v5.12.0` -> `v5.13.0`

GitHub Vulnerability Alerts

CVE-2025-21613

Impact

An argument injection vulnerability was discovered in go-git versions prior to v5.13.

Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries.

Affected versions

Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend users to enforce restrict validation rules for values passed in the URL field.

Credit

Thanks to @vin01 for responsibly disclosing this vulnerability to us.

CVE-2025-21614

Impact

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients.

This is a go-git implementation issue and does not affect the upstream git cli.

Patches

Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend limiting its use to only trust-worthy Git servers.

Credit

Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us.

Release Notes

go-git/go-git (github.com/go-git/go-git/v5)

`v5.13.0`

Compare Source

What's Changed

build: bump github.com/go-git/go-git/v5 from 5.11.0 to 5.12.0 in /cli/go-git by @dependabot in #1065
build: bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in #1068
build: bump golang.org/x/net from 0.23.0 to 0.24.0 by @dependabot in #1071
Properly support skipping of non-mandatory extensions by @codablock in #1066
git: Refine some codes in test and non-test. by @onee-only in #1077
plumbing: protocol/packp, client-side filter capability support by @edigaryev in #1000
build: bump golang.org/x/net from 0.22.0 to 0.23.0 in /cli/go-git by @dependabot in #1078
plumbing: fix sideband demux on flush by @aymanbagabas in #1084
storage: dotgit, head reference usually comes first by @aymanbagabas in #1085
build: bump golang.org/x/text from 0.14.0 to 0.15.0 by @dependabot in #1091
build: bump golang.org/x/crypto from 0.22.0 to 0.23.0 by @dependabot in #1094
build: bump golang.org/x/net from 0.24.0 to 0.25.0 by @dependabot in #1093
git: Added an example for Repository.Branches by @johnmatthiggins in #1088
git: worktree_commit, Modify checking empty commit. Fixes #723 by @onee-only in #1050
plumbing: transport/http, Wrap http errors to return reason. Fixes #1097 by @ggambetti in #1100
build: bump golang.org/x/sys from 0.20.0 to 0.21.0 by @dependabot in #1106
build: bump golang.org/x/text from 0.15.0 to 0.16.0 by @dependabot in #1107
Bumps Go versions and go-billy by @pjbgf in #1056
_examples: Fixed a dead link COMPATIBILITY.md by @gecko655 in #1109
build: bump github.com/jessevdk/go-flags from 1.5.0 to 1.6.1 in /cli/go-git by @dependabot in #1115
build: bump github.com/elazarl/goproxy from v0.0.0-20230808193330-2592e75ae04a to v0.0.0-20240618083138-03be62527ccb by @hbelmiro in #1124
build: bump golang.org/x/net from 0.25.0 to 0.26.0 by @dependabot in #1104
Add option approximating git clean -x flag. by @msuozzo in #995
Revert "Add option approximating git clean -x flag." by @pjbgf in #1129
Fix reference updated concurrently error for the filesystem storer by @Javier-varez in #1116
build: bump golang.org/x/net from 0.26.0 to 0.27.0 by @dependabot in #1134
utils: merkletrie, Align error message with upstream by @pjbgf in #1142
plumbing: transport/file, Change paths to absolute by @pjbgf in #1141
plumbing: gitignore, Fix loading of ignored .gitignore files. by @Achilleshiel in #1114
build: bump github.com/skeema/knownhosts from 1.2.2 to 1.3.0 by @dependabot in #1147
plumbing: transport/ssh, Add support for SSH @cert-authority. by @Javier-varez in #1157
build: run example tests during CI workflow by @crazybolillo in #1030
storage: filesystem, Fix object cache not working due to uninitialised objects being put into cache by @SatelliteMind in #1138
git: Fix fetching missing commits by @AriehSchneier in #1032
plumbing: format/packfile, remove duplicate checks in findMatch() by @edigaryev in #1152
git: worktree, Fix file reported as Untracked while it is committed by @rodrigocam in #1023
build: bump golang.org/x/sys from 0.22.0 to 0.23.0 by @dependabot in #1160
plumbing: filemode, Remove check for setting size of .git/index file by @nicholasSUSE in #1159
build: bump golang.org/x/net from 0.27.0 to 0.28.0 by @dependabot in #1163
Fix some lint warning and increase stalebot to 180 days by @pjbgf in #1128
adjust path extracted from file: url on Windows by @tomqwpl in #416
build: bump golang.org/x/sys from 0.23.0 to 0.24.0 by @dependabot in #1164
Add RestoreStaged to Worktree that mimics the behaviour of git restore --staged ... by @ben-tbotlabs in #493
plumbing: signature, support the same x509 signature formats as git by @yoavamit in #1169
fix: allow discovery of non bare repos in fsLoader by @jakobmoellerdev in #1170
build: bump golang.org/x/sys from 0.24.0 to 0.25.0 by @dependabot in #1178
build: bump golang.org/x/text from 0.17.0 to 0.18.0 by @dependabot in #1179
build: bump golang.org/x/net from 0.28.0 to 0.29.0 by @dependabot in #1184
Consume push URLs when they are provided by @mcepl in #1191
*: use gocheck's MkDir instead of TempDir for tests. Fixes #807 by @uragirii in #1194
build: bump golang.org/x/net from 0.29.0 to 0.30.0 by @dependabot in #1200
worktree: .git/index not correctly generated when running on Windows by @BeChris in #1198
git: worktree, Fix sparse reset. Fixes #90 by @onee-only in #1101
git: worktree, Pass context on updateSubmodules. Fixes #1098 by @onee-only in #1154
build: bump github.com/go-git/go-billy/v5 from 5.5.1-0.20240427054813-8453aa90c6ec to 5.6.0 by @dependabot in #1211
Update contributing guidelines by @pjbgf in #1217
build: bump github.com/ProtonMail/go-crypto from 1.0.0 to 1.1.1 by @dependabot in #1222
build: bump golang.org/x/sys from 0.26.0 to 0.27.0 by @dependabot in #1223
build: bump golang.org/x/crypto from 0.28.0 to 0.29.0 by @dependabot in #1221
build: bump github.com/ProtonMail/go-crypto from 1.1.1 to 1.1.2 by @dependabot in #1226
build: bump github.com/stretchr/testify from 1.9.0 to 1.10.0 by @dependabot in #1232
build: bump github.com/ProtonMail/go-crypto from 1.1.2 to 1.1.3 by @dependabot in #1231
build: General improvements around fuzzing by @pjbgf in #1229
build: bump golang.org/x/net from 0.30.0 to 0.32.0 by @dependabot in #1241
build: group dependabot updates for golang.org by @AriehSchneier in #1243
build: bump github/codeql-action from 2.22.11 to 3.27.6 by @dependabot in #1244
build: bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /cli/go-git by @dependabot in #1246
build: bump golang.org/x/crypto from 0.30.0 to 0.31.0 by @dependabot in #1247
build: bump github.com/gliderlabs/ssh from 0.3.7 to 0.3.8 by @dependabot in #1248
add comment preventing people from creating invalid trees by @petar in #732
build: bump github/codeql-action from 3.27.6 to 3.27.9 by @dependabot in #1250
plumbing: Properly encode index version 4 by @BeChris in #1251
Fix typos by @deining in #1148
Fix reset files in subfolders by @linglo in #1177
git: update switch cases by @hezhizhen in #1182
build: bump golang.org/x/net from 0.32.0 to 0.33.0 in the golang-org group by @dependabot in #1256
fix(1212): Fix invalid reference name error while cloning branches containing /- by @varmakarthik12 in #1257
pktline : accept upercase hexadecimal value as pktline length information by @BeChris in #1220
build: bump github/codeql-action from 3.27.9 to 3.28.0 by @dependabot in #1260
build: bump github.com/elazarl/goproxy from 0.0.0-20240618083138-03be62527ccb to 1.2.1 by @dependabot in #1262
git: worktree_commit, sanitize author and commiter name and email before creating the commit object. Fixes #680 by @BeChris in #1261

New Contributors

@johnmatthiggins made their first contribution in #1088
@ggambetti made their first contribution in #1100
@gecko655 made their first contribution in #1109
@hbelmiro made their first contribution in #1124
@msuozzo made their first contribution in #995
@Javier-varez made their first contribution in #1116
@Achilleshiel made their first contribution in #1114
@crazybolillo made their first contribution in #1030
@SatelliteMind made their first contribution in #1138
@rodrigocam made their first contribution in #1023
@nicholasSUSE made their first contribution in #1159
@tomqwpl made their first contribution in #416
@ben-tbotlabs made their first contribution in #493
@yoavamit made their first contribution in #1169
@uragirii made their first contribution in #1194
@petar made their first contribution in #732
@deining made their first contribution in #1148
@linglo made their first contribution in #1177
@varmakarthik12 made their first contribution in #1257

Full Changelog: go-git/go-git@v5.12.0...v5.13.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate · 2025-01-06T16:27:48Z

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

9 additional dependencies were updated
The go directive was updated for compatibility reasons

Details:

Package	Change
`go`	`1.20` -> `1.21`
`github.com/ProtonMail/go-crypto`	`v1.0.0` -> `v1.1.3`
`github.com/cyphar/filepath-securejoin`	`v0.2.4` -> `v0.2.5`
`github.com/go-git/go-billy/v5`	`v5.5.0` -> `v5.6.0`
`github.com/skeema/knownhosts`	`v1.2.2` -> `v1.3.0`
`golang.org/x/crypto`	`v0.21.0` -> `v0.31.0`
`golang.org/x/mod`	`v0.12.0` -> `v0.17.0`
`golang.org/x/net`	`v0.22.0` -> `v0.33.0`
`golang.org/x/sys`	`v0.18.0` -> `v0.28.0`
`golang.org/x/tools`	`v0.13.0` -> `v0.21.1-0.20240508182429-e35e4ccd0d2d`

renovate bot added the renovate Automated action from Renovate label Jan 6, 2025

renovate bot force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch from b646e38 to 7a6433e Compare March 3, 2025 11:55

renovate bot force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch from 7a6433e to 9a8a91e Compare March 11, 2025 10:11

renovate bot force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch from 9a8a91e to abdee54 Compare April 8, 2025 10:48

renovate bot force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch 2 times, most recently from 624e7b0 to 727a57a Compare May 9, 2025 16:01

renovate bot changed the title ~~Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY]~~ Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] - autoclosed Jun 16, 2025

renovate bot closed this Jun 16, 2025

renovate bot deleted the renovate/go-github.com-go-git-go-git-v5-vulnerability branch June 16, 2025 00:30

renovate bot changed the title ~~Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] - autoclosed~~ Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] Jun 16, 2025

renovate bot reopened this Jun 16, 2025

renovate bot force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch 2 times, most recently from 727a57a to ab20e02 Compare June 16, 2025 13:03

renovate bot force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch from ab20e02 to 2d27996 Compare August 10, 2025 14:29

Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY]

d522c6e

renovate bot force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch from 2d27996 to d522c6e Compare October 9, 2025 09:42

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] #178

Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] #178

Uh oh!

renovate bot commented Jan 6, 2025 •

edited

Loading

Uh oh!

renovate bot commented Jan 6, 2025 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] #178

Are you sure you want to change the base?

Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] #178

Uh oh!

Conversation

renovate bot commented Jan 6, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

CVE-2025-21613

Impact

Affected versions

Workarounds

Credit

CVE-2025-21614

Impact

Patches

Workarounds

Credit

Release Notes

v5.13.0

What's Changed

New Contributors

Configuration

Uh oh!

renovate bot commented Jan 6, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

ℹ Artifact update notice

File name: go.mod

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate bot commented Jan 6, 2025 •

edited

Loading

`v5.13.0`

renovate bot commented Jan 6, 2025 •

edited

Loading